2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.102 2002/03/18 17:50:31 provos Exp $");
15 #if defined(KRB4) || defined(KRB5)
27 #include "pathnames.h"
28 #include "tildexpand.h"
34 static void add_listen_addr(ServerOptions *, char *, u_short);
35 static void add_one_listen_addr(ServerOptions *, char *, u_short);
37 /* AF_UNSPEC or AF_INET or AF_INET6 */
39 /* Use of privilege separation or not */
40 extern int use_privsep;
42 /* Initializes the server options to their default values. */
45 initialize_server_options(ServerOptions *options)
47 memset(options, 0, sizeof(*options));
49 /* Portable-specific options */
50 options->pam_authentication_via_kbd_int = -1;
52 /* Standard Options */
53 options->num_ports = 0;
54 options->ports_from_cmdline = 0;
55 options->listen_addrs = NULL;
56 options->num_host_key_files = 0;
57 options->pid_file = NULL;
58 options->server_key_bits = -1;
59 options->login_grace_time = -1;
60 options->key_regeneration_time = -1;
61 options->permit_root_login = PERMIT_NOT_SET;
62 options->ignore_rhosts = -1;
63 options->ignore_user_known_hosts = -1;
64 options->print_motd = -1;
65 options->print_lastlog = -1;
66 options->x11_forwarding = -1;
67 options->x11_display_offset = -1;
68 options->x11_use_localhost = -1;
69 options->xauth_location = NULL;
70 options->strict_modes = -1;
71 options->keepalives = -1;
72 options->log_facility = SYSLOG_FACILITY_NOT_SET;
73 options->log_level = SYSLOG_LEVEL_NOT_SET;
74 options->rhosts_authentication = -1;
75 options->rhosts_rsa_authentication = -1;
76 options->hostbased_authentication = -1;
77 options->hostbased_uses_name_from_packet_only = -1;
78 options->rsa_authentication = -1;
79 options->pubkey_authentication = -1;
80 #if defined(KRB4) || defined(KRB5)
81 options->kerberos_authentication = -1;
82 options->kerberos_or_local_passwd = -1;
83 options->kerberos_ticket_cleanup = -1;
85 #if defined(AFS) || defined(KRB5)
86 options->kerberos_tgt_passing = -1;
89 options->afs_token_passing = -1;
91 options->password_authentication = -1;
92 options->kbd_interactive_authentication = -1;
93 options->challenge_response_authentication = -1;
94 options->permit_empty_passwd = -1;
95 options->use_login = -1;
96 options->allow_tcp_forwarding = -1;
97 options->num_allow_users = 0;
98 options->num_deny_users = 0;
99 options->num_allow_groups = 0;
100 options->num_deny_groups = 0;
101 options->ciphers = NULL;
102 options->macs = NULL;
103 options->protocol = SSH_PROTO_UNKNOWN;
104 options->gateway_ports = -1;
105 options->num_subsystems = 0;
106 options->max_startups_begin = -1;
107 options->max_startups_rate = -1;
108 options->max_startups = -1;
109 options->banner = NULL;
110 options->verify_reverse_mapping = -1;
111 options->client_alive_interval = -1;
112 options->client_alive_count_max = -1;
113 options->authorized_keys_file = NULL;
114 options->authorized_keys_file2 = NULL;
116 options->unprivileged_user = -1;
117 options->unprivileged_group = -1;
118 options->unprivileged_dir = NULL;
120 /* Needs to be accessable in many places */
125 fill_default_server_options(ServerOptions *options)
127 /* Portable-specific options */
128 if (options->pam_authentication_via_kbd_int == -1)
129 options->pam_authentication_via_kbd_int = 0;
131 /* Standard Options */
132 if (options->protocol == SSH_PROTO_UNKNOWN)
133 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
134 if (options->num_host_key_files == 0) {
135 /* fill default hostkeys for protocols */
136 if (options->protocol & SSH_PROTO_1)
137 options->host_key_files[options->num_host_key_files++] =
139 if (options->protocol & SSH_PROTO_2) {
140 options->host_key_files[options->num_host_key_files++] =
141 _PATH_HOST_RSA_KEY_FILE;
142 options->host_key_files[options->num_host_key_files++] =
143 _PATH_HOST_DSA_KEY_FILE;
146 if (options->num_ports == 0)
147 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
148 if (options->listen_addrs == NULL)
149 add_listen_addr(options, NULL, 0);
150 if (options->pid_file == NULL)
151 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
152 if (options->server_key_bits == -1)
153 options->server_key_bits = 768;
154 if (options->login_grace_time == -1)
155 options->login_grace_time = 600;
156 if (options->key_regeneration_time == -1)
157 options->key_regeneration_time = 3600;
158 if (options->permit_root_login == PERMIT_NOT_SET)
159 options->permit_root_login = PERMIT_YES;
160 if (options->ignore_rhosts == -1)
161 options->ignore_rhosts = 1;
162 if (options->ignore_user_known_hosts == -1)
163 options->ignore_user_known_hosts = 0;
164 if (options->print_motd == -1)
165 options->print_motd = 1;
166 if (options->print_lastlog == -1)
167 options->print_lastlog = 1;
168 if (options->x11_forwarding == -1)
169 options->x11_forwarding = 0;
170 if (options->x11_display_offset == -1)
171 options->x11_display_offset = 10;
172 if (options->x11_use_localhost == -1)
173 options->x11_use_localhost = 1;
174 if (options->xauth_location == NULL)
175 options->xauth_location = _PATH_XAUTH;
176 if (options->strict_modes == -1)
177 options->strict_modes = 1;
178 if (options->keepalives == -1)
179 options->keepalives = 1;
180 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
181 options->log_facility = SYSLOG_FACILITY_AUTH;
182 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
183 options->log_level = SYSLOG_LEVEL_INFO;
184 if (options->rhosts_authentication == -1)
185 options->rhosts_authentication = 0;
186 if (options->rhosts_rsa_authentication == -1)
187 options->rhosts_rsa_authentication = 0;
188 if (options->hostbased_authentication == -1)
189 options->hostbased_authentication = 0;
190 if (options->hostbased_uses_name_from_packet_only == -1)
191 options->hostbased_uses_name_from_packet_only = 0;
192 if (options->rsa_authentication == -1)
193 options->rsa_authentication = 1;
194 if (options->pubkey_authentication == -1)
195 options->pubkey_authentication = 1;
196 #if defined(KRB4) || defined(KRB5)
197 if (options->kerberos_authentication == -1)
198 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
199 if (options->kerberos_or_local_passwd == -1)
200 options->kerberos_or_local_passwd = 1;
201 if (options->kerberos_ticket_cleanup == -1)
202 options->kerberos_ticket_cleanup = 1;
204 #if defined(AFS) || defined(KRB5)
205 if (options->kerberos_tgt_passing == -1)
206 options->kerberos_tgt_passing = 0;
209 if (options->afs_token_passing == -1)
210 options->afs_token_passing = k_hasafs();
212 if (options->password_authentication == -1)
213 options->password_authentication = 1;
214 if (options->kbd_interactive_authentication == -1)
215 options->kbd_interactive_authentication = 0;
216 if (options->challenge_response_authentication == -1)
217 options->challenge_response_authentication = 1;
218 if (options->permit_empty_passwd == -1)
219 options->permit_empty_passwd = 0;
220 if (options->use_login == -1)
221 options->use_login = 0;
222 if (options->allow_tcp_forwarding == -1)
223 options->allow_tcp_forwarding = 1;
224 if (options->gateway_ports == -1)
225 options->gateway_ports = 0;
226 if (options->max_startups == -1)
227 options->max_startups = 10;
228 if (options->max_startups_rate == -1)
229 options->max_startups_rate = 100; /* 100% */
230 if (options->max_startups_begin == -1)
231 options->max_startups_begin = options->max_startups;
232 if (options->verify_reverse_mapping == -1)
233 options->verify_reverse_mapping = 0;
234 if (options->client_alive_interval == -1)
235 options->client_alive_interval = 0;
236 if (options->client_alive_count_max == -1)
237 options->client_alive_count_max = 3;
238 if (options->authorized_keys_file2 == NULL) {
239 /* authorized_keys_file2 falls back to authorized_keys_file */
240 if (options->authorized_keys_file != NULL)
241 options->authorized_keys_file2 = options->authorized_keys_file;
243 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
245 if (options->authorized_keys_file == NULL)
246 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
248 /* Turn privilege separation _off_ by default */
249 if (use_privsep == -1)
251 if (options->unprivileged_user == -1)
252 options->unprivileged_user = 32767;
253 if (options->unprivileged_group == -1)
254 options->unprivileged_group = 32767;
255 if (options->unprivileged_dir == NULL)
256 options->unprivileged_dir = "/var/empty";
259 /* Keyword tokens. */
261 sBadOption, /* == unknown option */
262 /* Portable-specific options */
263 sPAMAuthenticationViaKbdInt,
264 /* Standard Options */
265 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
266 sPermitRootLogin, sLogFacility, sLogLevel,
267 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
268 #if defined(KRB4) || defined(KRB5)
269 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
271 #if defined(AFS) || defined(KRB5)
277 sChallengeResponseAuthentication,
278 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
279 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
280 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
281 sStrictModes, sEmptyPasswd, sKeepAlives,
282 sUseLogin, sAllowTcpForwarding,
283 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
284 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
285 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
286 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
287 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
288 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
289 sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup, sUnprivDir,
293 /* Textual representation of the tokens. */
296 ServerOpCodes opcode;
298 /* Portable-specific options */
299 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
300 /* Standard Options */
302 { "hostkey", sHostKeyFile },
303 { "hostdsakey", sHostKeyFile }, /* alias */
304 { "pidfile", sPidFile },
305 { "serverkeybits", sServerKeyBits },
306 { "logingracetime", sLoginGraceTime },
307 { "keyregenerationinterval", sKeyRegenerationTime },
308 { "permitrootlogin", sPermitRootLogin },
309 { "syslogfacility", sLogFacility },
310 { "loglevel", sLogLevel },
311 { "rhostsauthentication", sRhostsAuthentication },
312 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
313 { "hostbasedauthentication", sHostbasedAuthentication },
314 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
315 { "rsaauthentication", sRSAAuthentication },
316 { "pubkeyauthentication", sPubkeyAuthentication },
317 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
318 #if defined(KRB4) || defined(KRB5)
319 { "kerberosauthentication", sKerberosAuthentication },
320 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
321 { "kerberosticketcleanup", sKerberosTicketCleanup },
323 #if defined(AFS) || defined(KRB5)
324 { "kerberostgtpassing", sKerberosTgtPassing },
327 { "afstokenpassing", sAFSTokenPassing },
329 { "passwordauthentication", sPasswordAuthentication },
330 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
331 { "challengeresponseauthentication", sChallengeResponseAuthentication },
332 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
333 { "checkmail", sDeprecated },
334 { "listenaddress", sListenAddress },
335 { "printmotd", sPrintMotd },
336 { "printlastlog", sPrintLastLog },
337 { "ignorerhosts", sIgnoreRhosts },
338 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
339 { "x11forwarding", sX11Forwarding },
340 { "x11displayoffset", sX11DisplayOffset },
341 { "x11uselocalhost", sX11UseLocalhost },
342 { "xauthlocation", sXAuthLocation },
343 { "strictmodes", sStrictModes },
344 { "permitemptypasswords", sEmptyPasswd },
345 { "uselogin", sUseLogin },
346 { "keepalive", sKeepAlives },
347 { "allowtcpforwarding", sAllowTcpForwarding },
348 { "allowusers", sAllowUsers },
349 { "denyusers", sDenyUsers },
350 { "allowgroups", sAllowGroups },
351 { "denygroups", sDenyGroups },
352 { "ciphers", sCiphers },
354 { "protocol", sProtocol },
355 { "gatewayports", sGatewayPorts },
356 { "subsystem", sSubsystem },
357 { "maxstartups", sMaxStartups },
358 { "banner", sBanner },
359 { "verifyreversemapping", sVerifyReverseMapping },
360 { "reversemappingcheck", sVerifyReverseMapping },
361 { "clientaliveinterval", sClientAliveInterval },
362 { "clientalivecountmax", sClientAliveCountMax },
363 { "authorizedkeysfile", sAuthorizedKeysFile },
364 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
365 { "useprivilegeseparation", sUsePrivilegeSeparation},
366 { "unprivuser", sUnprivUser},
367 { "unprivgroup", sUnprivGroup},
368 { "unprivdir", sUnprivDir},
373 * Returns the number of the token pointed to by cp or sBadOption.
377 parse_token(const char *cp, const char *filename,
382 for (i = 0; keywords[i].name; i++)
383 if (strcasecmp(cp, keywords[i].name) == 0)
384 return keywords[i].opcode;
386 error("%s: line %d: Bad configuration option: %s",
387 filename, linenum, cp);
392 add_listen_addr(ServerOptions *options, char *addr, u_short port)
396 if (options->num_ports == 0)
397 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
399 for (i = 0; i < options->num_ports; i++)
400 add_one_listen_addr(options, addr, options->ports[i]);
402 add_one_listen_addr(options, addr, port);
406 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
408 struct addrinfo hints, *ai, *aitop;
409 char strport[NI_MAXSERV];
412 memset(&hints, 0, sizeof(hints));
413 hints.ai_family = IPv4or6;
414 hints.ai_socktype = SOCK_STREAM;
415 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
416 snprintf(strport, sizeof strport, "%d", port);
417 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
418 fatal("bad addr or host: %s (%s)",
419 addr ? addr : "<NULL>",
420 gai_strerror(gaierr));
421 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
423 ai->ai_next = options->listen_addrs;
424 options->listen_addrs = aitop;
428 process_server_config_line(ServerOptions *options, char *line,
429 const char *filename, int linenum)
431 char *cp, **charptr, *arg, *p;
433 ServerOpCodes opcode;
438 /* Ignore leading whitespace */
441 if (!arg || !*arg || *arg == '#')
445 opcode = parse_token(arg, filename, linenum);
447 /* Portable-specific options */
448 case sPAMAuthenticationViaKbdInt:
449 intptr = &options->pam_authentication_via_kbd_int;
452 /* Standard Options */
456 /* ignore ports from configfile if cmdline specifies ports */
457 if (options->ports_from_cmdline)
459 if (options->listen_addrs != NULL)
460 fatal("%s line %d: ports must be specified before "
461 "ListenAddress.", filename, linenum);
462 if (options->num_ports >= MAX_PORTS)
463 fatal("%s line %d: too many ports.",
466 if (!arg || *arg == '\0')
467 fatal("%s line %d: missing port number.",
469 options->ports[options->num_ports++] = a2port(arg);
470 if (options->ports[options->num_ports-1] == 0)
471 fatal("%s line %d: Badly formatted port number.",
476 intptr = &options->server_key_bits;
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing integer value.",
487 case sLoginGraceTime:
488 intptr = &options->login_grace_time;
491 if (!arg || *arg == '\0')
492 fatal("%s line %d: missing time value.",
494 if ((value = convtime(arg)) == -1)
495 fatal("%s line %d: invalid time value.",
501 case sKeyRegenerationTime:
502 intptr = &options->key_regeneration_time;
507 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
508 fatal("%s line %d: missing inet addr.",
511 if ((p = strchr(arg, ']')) == NULL)
512 fatal("%s line %d: bad ipv6 inet addr usage.",
515 memmove(p, p+1, strlen(p+1)+1);
516 } else if (((p = strchr(arg, ':')) == NULL) ||
517 (strchr(p+1, ':') != NULL)) {
518 add_listen_addr(options, arg, 0);
526 fatal("%s line %d: bad inet addr:port usage.",
530 if ((port = a2port(p)) == 0)
531 fatal("%s line %d: bad port number.",
533 add_listen_addr(options, arg, port);
535 } else if (*p == '\0')
536 add_listen_addr(options, arg, 0);
538 fatal("%s line %d: bad inet addr usage.",
543 intptr = &options->num_host_key_files;
544 if (*intptr >= MAX_HOSTKEYS)
545 fatal("%s line %d: too many host keys specified (max %d).",
546 filename, linenum, MAX_HOSTKEYS);
547 charptr = &options->host_key_files[*intptr];
550 if (!arg || *arg == '\0')
551 fatal("%s line %d: missing file name.",
553 if (*charptr == NULL) {
554 *charptr = tilde_expand_filename(arg, getuid());
555 /* increase optional counter */
557 *intptr = *intptr + 1;
562 charptr = &options->pid_file;
565 case sPermitRootLogin:
566 intptr = &options->permit_root_login;
568 if (!arg || *arg == '\0')
569 fatal("%s line %d: missing yes/"
570 "without-password/forced-commands-only/no "
571 "argument.", filename, linenum);
572 value = 0; /* silence compiler */
573 if (strcmp(arg, "without-password") == 0)
574 value = PERMIT_NO_PASSWD;
575 else if (strcmp(arg, "forced-commands-only") == 0)
576 value = PERMIT_FORCED_ONLY;
577 else if (strcmp(arg, "yes") == 0)
579 else if (strcmp(arg, "no") == 0)
582 fatal("%s line %d: Bad yes/"
583 "without-password/forced-commands-only/no "
584 "argument: %s", filename, linenum, arg);
590 intptr = &options->ignore_rhosts;
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/no argument.",
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "yes") == 0)
599 else if (strcmp(arg, "no") == 0)
602 fatal("%s line %d: Bad yes/no argument: %s",
603 filename, linenum, arg);
608 case sIgnoreUserKnownHosts:
609 intptr = &options->ignore_user_known_hosts;
612 case sRhostsAuthentication:
613 intptr = &options->rhosts_authentication;
616 case sRhostsRSAAuthentication:
617 intptr = &options->rhosts_rsa_authentication;
620 case sHostbasedAuthentication:
621 intptr = &options->hostbased_authentication;
624 case sHostbasedUsesNameFromPacketOnly:
625 intptr = &options->hostbased_uses_name_from_packet_only;
628 case sRSAAuthentication:
629 intptr = &options->rsa_authentication;
632 case sPubkeyAuthentication:
633 intptr = &options->pubkey_authentication;
635 #if defined(KRB4) || defined(KRB5)
636 case sKerberosAuthentication:
637 intptr = &options->kerberos_authentication;
640 case sKerberosOrLocalPasswd:
641 intptr = &options->kerberos_or_local_passwd;
644 case sKerberosTicketCleanup:
645 intptr = &options->kerberos_ticket_cleanup;
648 #if defined(AFS) || defined(KRB5)
649 case sKerberosTgtPassing:
650 intptr = &options->kerberos_tgt_passing;
654 case sAFSTokenPassing:
655 intptr = &options->afs_token_passing;
659 case sPasswordAuthentication:
660 intptr = &options->password_authentication;
663 case sKbdInteractiveAuthentication:
664 intptr = &options->kbd_interactive_authentication;
667 case sChallengeResponseAuthentication:
668 intptr = &options->challenge_response_authentication;
672 intptr = &options->print_motd;
676 intptr = &options->print_lastlog;
680 intptr = &options->x11_forwarding;
683 case sX11DisplayOffset:
684 intptr = &options->x11_display_offset;
687 case sX11UseLocalhost:
688 intptr = &options->x11_use_localhost;
692 charptr = &options->xauth_location;
696 intptr = &options->strict_modes;
700 intptr = &options->keepalives;
704 intptr = &options->permit_empty_passwd;
708 intptr = &options->use_login;
712 intptr = &options->gateway_ports;
715 case sVerifyReverseMapping:
716 intptr = &options->verify_reverse_mapping;
720 intptr = (int *) &options->log_facility;
722 value = log_facility_number(arg);
723 if (value == SYSLOG_FACILITY_NOT_SET)
724 fatal("%.200s line %d: unsupported log facility '%s'",
725 filename, linenum, arg ? arg : "<NONE>");
727 *intptr = (SyslogFacility) value;
731 intptr = (int *) &options->log_level;
733 value = log_level_number(arg);
734 if (value == SYSLOG_LEVEL_NOT_SET)
735 fatal("%.200s line %d: unsupported log level '%s'",
736 filename, linenum, arg ? arg : "<NONE>");
738 *intptr = (LogLevel) value;
741 case sAllowTcpForwarding:
742 intptr = &options->allow_tcp_forwarding;
745 case sUsePrivilegeSeparation:
746 intptr = &use_privsep;
750 intptr = &options->unprivileged_user;
754 intptr = &options->unprivileged_group;
758 charptr = &options->unprivileged_dir;
762 while ((arg = strdelim(&cp)) && *arg != '\0') {
763 if (options->num_allow_users >= MAX_ALLOW_USERS)
764 fatal("%s line %d: too many allow users.",
766 options->allow_users[options->num_allow_users++] = xstrdup(arg);
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_deny_users >= MAX_DENY_USERS)
773 fatal( "%s line %d: too many deny users.",
775 options->deny_users[options->num_deny_users++] = xstrdup(arg);
780 while ((arg = strdelim(&cp)) && *arg != '\0') {
781 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
782 fatal("%s line %d: too many allow groups.",
784 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_deny_groups >= MAX_DENY_GROUPS)
791 fatal("%s line %d: too many deny groups.",
793 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
799 if (!arg || *arg == '\0')
800 fatal("%s line %d: Missing argument.", filename, linenum);
801 if (!ciphers_valid(arg))
802 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
803 filename, linenum, arg ? arg : "<NONE>");
804 if (options->ciphers == NULL)
805 options->ciphers = xstrdup(arg);
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: Missing argument.", filename, linenum);
813 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
814 filename, linenum, arg ? arg : "<NONE>");
815 if (options->macs == NULL)
816 options->macs = xstrdup(arg);
820 intptr = &options->protocol;
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
824 value = proto_spec(arg);
825 if (value == SSH_PROTO_UNKNOWN)
826 fatal("%s line %d: Bad protocol spec '%s'.",
827 filename, linenum, arg ? arg : "<NONE>");
828 if (*intptr == SSH_PROTO_UNKNOWN)
833 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
834 fatal("%s line %d: too many subsystems defined.",
838 if (!arg || *arg == '\0')
839 fatal("%s line %d: Missing subsystem name.",
841 for (i = 0; i < options->num_subsystems; i++)
842 if (strcmp(arg, options->subsystem_name[i]) == 0)
843 fatal("%s line %d: Subsystem '%s' already defined.",
844 filename, linenum, arg);
845 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing subsystem command.",
850 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
851 options->num_subsystems++;
856 if (!arg || *arg == '\0')
857 fatal("%s line %d: Missing MaxStartups spec.",
859 if ((n = sscanf(arg, "%d:%d:%d",
860 &options->max_startups_begin,
861 &options->max_startups_rate,
862 &options->max_startups)) == 3) {
863 if (options->max_startups_begin >
864 options->max_startups ||
865 options->max_startups_rate > 100 ||
866 options->max_startups_rate < 1)
867 fatal("%s line %d: Illegal MaxStartups spec.",
870 fatal("%s line %d: Illegal MaxStartups spec.",
873 options->max_startups = options->max_startups_begin;
877 charptr = &options->banner;
880 * These options can contain %X options expanded at
881 * connect time, so that you can specify paths like:
883 * AuthorizedKeysFile /etc/ssh_keys/%u
885 case sAuthorizedKeysFile:
886 case sAuthorizedKeysFile2:
887 charptr = (opcode == sAuthorizedKeysFile ) ?
888 &options->authorized_keys_file :
889 &options->authorized_keys_file2;
892 case sClientAliveInterval:
893 intptr = &options->client_alive_interval;
896 case sClientAliveCountMax:
897 intptr = &options->client_alive_count_max;
901 log("%s line %d: Deprecated option %s",
902 filename, linenum, arg);
908 fatal("%s line %d: Missing handler for opcode %s (%d)",
909 filename, linenum, arg, opcode);
911 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
912 fatal("%s line %d: garbage at end of line; \"%.200s\".",
913 filename, linenum, arg);
917 /* Reads the server configuration file. */
920 read_server_config(ServerOptions *options, const char *filename)
927 f = fopen(filename, "r");
933 while (fgets(line, sizeof(line), f)) {
934 /* Update line number counter. */
936 if (process_server_config_line(options, line, filename, linenum) != 0)
941 fatal("%s: terminating, %d bad configuration options",
942 filename, bad_options);